Читаем CISSP Practice полностью

b. Change the cryptographic keys when employees leave the organization.

c. Protect data prior to signature generation/verification or encryption/decryption.

d. Provide the capability for local users to view all data that is being signed or encrypted.

110. b. It is a rule to follow in the operation and maintenance phase, not in the implementation phase. For example, cryptographic keys that are never changed, even when disgruntled employees leave the organization, are not secure. The other three choices are incorrect because they are the rules that guide the implementation of cryptography.

111. During the operation and maintenance phase of a system development life cycle (SDLC) as it relates to cryptography, which of the following requires configuration management most?

1. Hardware and firmware

2. System software maintenance and update

3. Application software maintenance

4. Cryptographic key maintenance

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

111. a. Configuration management (CM) is needed most for high-risk areas such as hardware and firmware and system software maintenance and update. CM ensures the integrity of managing system and security features through controlling changes made to a system’s hardware, firmware, software, and documentation. The documentation may include user guidance, test scripts, test data, and test results. The hardware and firmware maintenance scope covers adding new capabilities, expanding the system to accommodate more users, replacing nonfunctional equipment, changing platforms, and upgrading hardware components. The system software maintenance and update scope includes adding new capabilities, fixing errors, improving performance, and replacing keys.

The application software maintenance scope covers updating passwords, deleting users from access lists, updating remote access, and changing roles and responsibilities of users and maintenance personnel, which are mostly routine in nature. The cryptographic key maintenance scope includes key archiving, key destruction, and key change, as it is mostly done in the disposal phase.

112. During the operational phase of cryptography, key recovery means which of the following?

1. Acquiring keying material from backup

2. Acquiring keying material by reconstruction

3. Binding keying material to information

4. Binding keying material to attributes

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

112. a. Acquiring the keying material from backup or by reconstruction is commonly known as key recovery. The other items deal with key registration, which results in the binding of keying material to information or attributes associated with a particular entity. A trusted third party (for example, Kerberos realm server or a PKI certification authority) performs the binding.

113. During the operational phase of cryptography, which of the following keying material does not require backup storage?

a. Domain parameters

b. Passwords

c. Audit information

d. Random number generator seed

113. d. The keying material backup on an independent, secure storage medium provides a source for key recovery. Keying material maintained in backup should remain in storage for at least as long as the same keying material is maintained in storage for normal operational use. Not all keys need be backed up. For example, random number generator (RNG) seed need not be backed up because it is a secret value that is used to initialize a deterministic random bit generator. In addition, storing the RNG seed would actually decrease the security of the keys by increasing the risk of the material being used to reverse-engineer the keys.

Domain parameters are incorrect because they can be backed up. It is a parameter used with some public key algorithm to generate key pairs, to create digital signatures, or to establish keying material. Passwords are incorrect because they can be backed up. A password is a string of characters (for example, letters, numbers, and other symbols) that are used to authenticate an identity or to verify access authorization. Audit information is incorrect because it can be backed up and can be used to trace events and actions.

114. During the post-operational phase of cryptography, which of the following keying material does not require archive storage?

a. Initialization vector

b. Audit information

c. Passwords

d. Domain parameters